The present invention relates to a method for controllably and securely exchanging privacy sensitive data units.
The present invention further relates to a system for controllably and securely exchanging privacy sensitive data units.
The present invention still further relates to a certified intermediary server for controllably managing a secure exchange of privacy sensitive data units between certified party servers.
The present invention still further relates to a certified party server for controllably sharing privacy sensitive data units with other certified party servers in a secure manner.
Privacy sensitive data, e.g. medical data concerning a patient, may be distributed between different institutions. For example, one institution may be the patient's general practitioner holding records about previous consults by the patient, another institution a diagnostic center which stores medical imaging data, and yet another institution a hospital associated with a medical specialist treating the patient. On the one hand it is desired to provide for an efficient exchange of medical data, for example enabling the medical specialist to obtain all necessary information to optimally treat the patient. On the other hand such exchange should be carefully controlled to ensure that the exchanged privacy sensitive data is visible only to authorized parties. In particular, new legislation demands explicit and specific approval by the person involved, e.g. the patient to whom the medical data relate. The person involved may assign a different authorization for each data unit, therewith providing a set of authorizations defining, for each combination of a requesting party and a potentially providing party, which privacy sensitive data may be transmitted by that potentially providing party to the requesting party and which requests may be received by the potentially providing party from the requesting party. This may for example depend on the degree of confidentiality guaranteed by an institution. The person involved may for example specify that an institution having a lower degree of confidentiality does not receive certain privacy sensitive data units, e.g. psychiatric records, whereas the same person authorizes that institution to provide information about his blood type. The authorization given by the person involved may for example further depend on the reliability of the data provided by an institution.
The person may for example exclusively authorize a particular institution to provide X-ray imaging data, as this particular institution is known to provide this data at a high quality. Although in some instances private networks may be available for the exchange, in practice the exchange takes place over a public network. As indicated above, the set of authorizations may also include authorizations specifying which requests may be received by the potentially providing party from the requesting party.
This is because a request for privacy sensitive data concerning a person can be indicative of that person's situation or mental or physical state. For example, a request to provide a copy of a psychiatric report of a person implies or suggests the existence of a psychiatric disorder. In addition, even the set of authorizations itself is to be treated as privacy sensitive, as such authorizations or the lack thereof are indicative of a person's situation or mental or physical state, for example an indication in said set of authorizations that certain institutions are not authorized to receive requests or responses concerning HIV medication. Accordingly, there is a need to provide means that enable authorized control of the exchange of privacy sensitive data between certified parties on a public network while avoiding intrusion by unauthorized parties and while restricting access to said authorizations by other parties, including said certified parties.
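As an added illustration, not part of the application text, the following Python sketch models the authorization set described above as two independent, deny-by-default permissions per (requesting party, potentially providing party, data unit) combination, evaluated at the intermediary before a request is forwarded. The party names, data-unit labels and the choice to return only a uniform decision to the requester (keeping the reason in the intermediary's audit log, so that a denial does not disclose the person's authorizations) are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Combination:
    """One (requesting party, potentially providing party, data unit) triple."""
    requester: str
    provider: str
    data_unit: str


class AuthorizationSet:
    """The person's authorizations, held and evaluated by the intermediary.

    Every combination carries two separate permissions: whether the provider
    may receive the request at all, and whether it may transmit the data unit
    to the requester. Anything not explicitly permitted is denied.
    """

    def __init__(self) -> None:
        self._may_receive_request: set[Combination] = set()
        self._may_transmit: set[Combination] = set()

    def permit_request(self, requester: str, provider: str, data_unit: str) -> None:
        self._may_receive_request.add(Combination(requester, provider, data_unit))

    def permit_transmit(self, requester: str, provider: str, data_unit: str) -> None:
        self._may_transmit.add(Combination(requester, provider, data_unit))

    def evaluate(self, requester: str, provider: str, data_unit: str) -> tuple[str, str]:
        """Return (decision, audit_reason); only the decision leaves the intermediary."""
        c = Combination(requester, provider, data_unit)
        if c not in self._may_receive_request:
            return "DENY", "provider not authorized to receive this request"
        if c not in self._may_transmit:
            return "DENY", "provider not authorized to transmit this data unit"
        return "FORWARD", "request and transmission both authorized"


def build_sample_authorizations() -> AuthorizationSet:
    """Constructed example: the hospital may obtain blood type from the GP and
    X-ray data only from the diagnostic centre; the GP may be asked about X-rays
    but may not supply them, and psychiatric records are never released."""
    auths = AuthorizationSet()
    auths.permit_request("hospital", "gp", "blood_type")
    auths.permit_transmit("hospital", "gp", "blood_type")
    auths.permit_request("hospital", "diagnostic_centre", "xray")
    auths.permit_transmit("hospital", "diagnostic_centre", "xray")
    auths.permit_request("hospital", "gp", "xray")  # request allowed, transmission not
    return auths
```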